by tptacek
1122 days ago
Every single certificate issued by a WebPKI CA (i.e., a CA whose certificates are accepted by Google or Mozilla's root programs) is logged in a globally auditable tamper-proof log. You can stand up an instance of that log, or monitor any of the existing logs yourself. You're not relying on laws to surveil the WebPKI CAs, but rather mathematics.

CT provides a guarantee like: "hopefully one of those devices will eventually connect to a non-compromised network and report the prior compromise". By observing the lack of such reports, we can be reasonably confident compromises of size N>millions are not happening, but it's difficult to reason about what compromises may be happening at small N.